hawkeye | bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7

Analysis

max time kernel
151s
max time network
127s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
Size

1.0MB
MD5

788b37226d3f0a126a24396a0d4c90e4
SHA1

e6cf3e41c10e7dbbf9aba2a9c661124b794c0068
SHA256

bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7
SHA512

4eef2460a5c21c1b7452dfeb5dfeb1a96fb2e48e69d01d0d8697b24884581d77f63eb7e2cd5ff743bbd6abef8ccd7adef20eda199c5dbb91448973f490dbfad5
SSDEEP

24576:9BxT7o15hf9CMU07DKiWMNT8e7EloFmGzHaI49CpV:9LTslUMF7DsCEljGv4wL

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 3 IoCs

Processes:

natsv.exednsmon.exenatsv.exe

pid process

1700 natsv.exe
1068 dnsmon.exe
1736 natsv.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exenatsv.execmd.exe

pid process

1772 cmd.exe
1700 natsv.exe
1444 cmd.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1700	natsv.exe
1068	dnsmon.exe
1736	natsv.exe

pid	process
1772	cmd.exe
1700	natsv.exe
1444	cmd.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 whatismyipaddress.com
5 whatismyipaddress.com
6 whatismyipaddress.com

flow	ioc
3	whatismyipaddress.com
5	whatismyipaddress.com
6	whatismyipaddress.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exednsmon.exeRegAsm.exe

description	pid	process	target process
PID 1884 set thread context of 1644	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	RegAsm.exe
PID 1068 set thread context of 1280	1068	dnsmon.exe	RegAsm.exe
PID 1644 set thread context of 956	1644	RegAsm.exe	vbc.exe
PID 1644 set thread context of 1016	1644	RegAsm.exe	vbc.exe

Drops file in Windows directory 2 IoCs

Processes:

bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exenatsv.exednsmon.exenatsv.exe

pid	process
1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
1700	natsv.exe
1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
1068	dnsmon.exe
1068	dnsmon.exe
1068	dnsmon.exe
1068	dnsmon.exe
1068	dnsmon.exe
1068	dnsmon.exe
1736	natsv.exe
1068	dnsmon.exe
1736	natsv.exe
1068	dnsmon.exe
1736	natsv.exe
1068	dnsmon.exe
1736	natsv.exe
1068	dnsmon.exe
1736	natsv.exe
1068	dnsmon.exe
1736	natsv.exe
1068	dnsmon.exe
1736	natsv.exe
1068	dnsmon.exe
1736	natsv.exe
1068	dnsmon.exe
1736	natsv.exe
1068	dnsmon.exe
1736	natsv.exe
1068	dnsmon.exe
1736	natsv.exe
1068	dnsmon.exe
1736	natsv.exe
1068	dnsmon.exe
1736	natsv.exe
1068	dnsmon.exe
1736	natsv.exe
1068	dnsmon.exe
1736	natsv.exe
1068	dnsmon.exe
1736	natsv.exe
1068	dnsmon.exe
1736	natsv.exe
1068	dnsmon.exe
1736	natsv.exe
1068	dnsmon.exe
1736	natsv.exe
1068	dnsmon.exe
1736	natsv.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exenatsv.exednsmon.exeRegAsm.exenatsv.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
Token: SeDebugPrivilege	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
Token: SeDebugPrivilege	1700	natsv.exe
Token: SeDebugPrivilege	1068	dnsmon.exe
Token: SeDebugPrivilege	1068	dnsmon.exe
Token: SeDebugPrivilege	1644	RegAsm.exe
Token: SeDebugPrivilege	1736	natsv.exe
Token: SeDebugPrivilege	956	vbc.exe
Token: SeDebugPrivilege	1016	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

1644 RegAsm.exe

pid	process
1644	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.execmd.exenatsv.exednsmon.execmd.exenatsv.exeRegAsm.exe

description	pid	process	target process
PID 1884 wrote to memory of 956	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	cmd.exe
PID 1884 wrote to memory of 956	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	cmd.exe
PID 1884 wrote to memory of 956	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	cmd.exe
PID 1884 wrote to memory of 956	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	cmd.exe
PID 1884 wrote to memory of 1644	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	RegAsm.exe
PID 1884 wrote to memory of 1644	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	RegAsm.exe
PID 1884 wrote to memory of 1644	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	RegAsm.exe
PID 1884 wrote to memory of 1644	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	RegAsm.exe
PID 1884 wrote to memory of 1644	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	RegAsm.exe
PID 1884 wrote to memory of 1644	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	RegAsm.exe
PID 1884 wrote to memory of 1644	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	RegAsm.exe
PID 1884 wrote to memory of 1644	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	RegAsm.exe
PID 1884 wrote to memory of 1644	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	RegAsm.exe
PID 1884 wrote to memory of 1644	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	RegAsm.exe
PID 1884 wrote to memory of 1644	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	RegAsm.exe
PID 1884 wrote to memory of 1644	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	RegAsm.exe
PID 1884 wrote to memory of 1644	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	RegAsm.exe
PID 1884 wrote to memory of 1772	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	cmd.exe
PID 1884 wrote to memory of 1772	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	cmd.exe
PID 1884 wrote to memory of 1772	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	cmd.exe
PID 1884 wrote to memory of 1772	1884	bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe	cmd.exe
PID 1772 wrote to memory of 1700	1772	cmd.exe	natsv.exe
PID 1772 wrote to memory of 1700	1772	cmd.exe	natsv.exe
PID 1772 wrote to memory of 1700	1772	cmd.exe	natsv.exe
PID 1772 wrote to memory of 1700	1772	cmd.exe	natsv.exe
PID 1700 wrote to memory of 1688	1700	natsv.exe	cmd.exe
PID 1700 wrote to memory of 1688	1700	natsv.exe	cmd.exe
PID 1700 wrote to memory of 1688	1700	natsv.exe	cmd.exe
PID 1700 wrote to memory of 1688	1700	natsv.exe	cmd.exe
PID 1700 wrote to memory of 1068	1700	natsv.exe	dnsmon.exe
PID 1700 wrote to memory of 1068	1700	natsv.exe	dnsmon.exe
PID 1700 wrote to memory of 1068	1700	natsv.exe	dnsmon.exe
PID 1700 wrote to memory of 1068	1700	natsv.exe	dnsmon.exe
PID 1068 wrote to memory of 1280	1068	dnsmon.exe	RegAsm.exe
PID 1068 wrote to memory of 1280	1068	dnsmon.exe	RegAsm.exe
PID 1068 wrote to memory of 1280	1068	dnsmon.exe	RegAsm.exe
PID 1068 wrote to memory of 1280	1068	dnsmon.exe	RegAsm.exe
PID 1068 wrote to memory of 1280	1068	dnsmon.exe	RegAsm.exe
PID 1068 wrote to memory of 1280	1068	dnsmon.exe	RegAsm.exe
PID 1068 wrote to memory of 1280	1068	dnsmon.exe	RegAsm.exe
PID 1068 wrote to memory of 1280	1068	dnsmon.exe	RegAsm.exe
PID 1068 wrote to memory of 1280	1068	dnsmon.exe	RegAsm.exe
PID 1068 wrote to memory of 1280	1068	dnsmon.exe	RegAsm.exe
PID 1068 wrote to memory of 1280	1068	dnsmon.exe	RegAsm.exe
PID 1068 wrote to memory of 1280	1068	dnsmon.exe	RegAsm.exe
PID 1068 wrote to memory of 1280	1068	dnsmon.exe	RegAsm.exe
PID 1068 wrote to memory of 1444	1068	dnsmon.exe	cmd.exe
PID 1068 wrote to memory of 1444	1068	dnsmon.exe	cmd.exe
PID 1068 wrote to memory of 1444	1068	dnsmon.exe	cmd.exe
PID 1068 wrote to memory of 1444	1068	dnsmon.exe	cmd.exe
PID 1444 wrote to memory of 1736	1444	cmd.exe	natsv.exe
PID 1444 wrote to memory of 1736	1444	cmd.exe	natsv.exe
PID 1444 wrote to memory of 1736	1444	cmd.exe	natsv.exe
PID 1444 wrote to memory of 1736	1444	cmd.exe	natsv.exe
PID 1736 wrote to memory of 364	1736	natsv.exe	cmd.exe
PID 1736 wrote to memory of 364	1736	natsv.exe	cmd.exe
PID 1736 wrote to memory of 364	1736	natsv.exe	cmd.exe
PID 1736 wrote to memory of 364	1736	natsv.exe	cmd.exe
PID 1644 wrote to memory of 956	1644	RegAsm.exe	vbc.exe
PID 1644 wrote to memory of 956	1644	RegAsm.exe	vbc.exe
PID 1644 wrote to memory of 956	1644	RegAsm.exe	vbc.exe
PID 1644 wrote to memory of 956	1644	RegAsm.exe	vbc.exe
PID 1644 wrote to memory of 956	1644	RegAsm.exe	vbc.exe
PID 1644 wrote to memory of 956	1644	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
"C:\Users\Admin\AppData\Local\Temp\bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"
2⤵
PID:956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:1688

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
5⤵
PID:1280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe" /f
7⤵
PID:364

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe" /f
8⤵
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
321B

MD5
e62221a3bb549a72fcc4afa60d34e620

SHA1
d60b16b540e0e3ed459a30cce0678d1fc8a1989a

SHA256
587f8f51485b575f30e5e1608f70b31b9d8bb384318802373cc52cbdf2a4aa95

SHA512
5b6f6a3a88961b62870e486b02e41d065b3f054f3ad45f7c7e01aff3ba151893e36fd3c13771ed9e3738aaa525296a8ee72adc05fb32932ec3af259404172aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
321B

MD5
c3609e29395ccd5fd8407fed36414e75

SHA1
04c0c5dc3fcced0c5581c44af17fa60260fb591a

SHA256
a32df1c247d5738af4241edc4aa520dbb21013d05d47cac5db96ccfb48de7857

SHA512
8bbd7b458f2be6e91c46cad8f682e109c7a7317f9ae89e5ce889ae7d4db5775b83d03016f47b56aa75bd5646a50c06ae7adbf2fc8af6b9f8a976f2ce30de3533

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
Filesize
1.0MB

MD5
788b37226d3f0a126a24396a0d4c90e4

SHA1
e6cf3e41c10e7dbbf9aba2a9c661124b794c0068

SHA256
bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7

SHA512
4eef2460a5c21c1b7452dfeb5dfeb1a96fb2e48e69d01d0d8697b24884581d77f63eb7e2cd5ff743bbd6abef8ccd7adef20eda199c5dbb91448973f490dbfad5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
Filesize
1.0MB

MD5
788b37226d3f0a126a24396a0d4c90e4

SHA1
e6cf3e41c10e7dbbf9aba2a9c661124b794c0068

SHA256
bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7

SHA512
4eef2460a5c21c1b7452dfeb5dfeb1a96fb2e48e69d01d0d8697b24884581d77f63eb7e2cd5ff743bbd6abef8ccd7adef20eda199c5dbb91448973f490dbfad5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
C:\Users\Admin\AppData\Roaming\pid.txt
Filesize
4B

MD5
89f03f7d02720160f1b04cf5b27f5ccb

SHA1
cbf641003962d3b22ea5aeb9164c4cff46a13515

SHA256
f7d9615965e2b49c6bde79dedfdecc39afade6e543922d5d023fda9d13430c44

SHA512
b86aa582e4cbffc73c377a673ee2364627f267fe71a97a95b1cfcbb2c79373da88190563f456a178d9d734daeeb5f1e12df41d61ce6c4b50cbcd03f506cb0642

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Filesize
514B

MD5
7d0f29a8d29738edf7270a5e7f1fbf6b

SHA1
1dec7f3f2ec534f6ef7d0cce550660bfa56a0edd

SHA256
662facad877e2ec240eda39dc73ac1ac91d64365265783d141d7ed55ba734fcb

SHA512
4f766f334e041177aa12448055109f67d47f67e55a505f562d82a299b74230dde19a26470415f21c944fde1a92166b7dc3a718924e44d095dd77c3e8a73e21a0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
Filesize
1.0MB

MD5
788b37226d3f0a126a24396a0d4c90e4

SHA1
e6cf3e41c10e7dbbf9aba2a9c661124b794c0068

SHA256
bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7

SHA512
4eef2460a5c21c1b7452dfeb5dfeb1a96fb2e48e69d01d0d8697b24884581d77f63eb7e2cd5ff743bbd6abef8ccd7adef20eda199c5dbb91448973f490dbfad5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
memory/364-109-0x0000000000000000-mapping.dmp

Download
memory/956-122-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/956-118-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/956-111-0x0000000000442FBF-mapping.dmp

Download
memory/956-110-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/956-115-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/956-56-0x0000000000000000-mapping.dmp

Download
memory/1016-123-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1016-124-0x0000000000442C62-mapping.dmp

Download
memory/1016-127-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1016-129-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1068-120-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1068-81-0x0000000000000000-mapping.dmp

Download
memory/1068-84-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1280-93-0x00000000004E1E9E-mapping.dmp

Download
memory/1280-107-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1280-130-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1280-119-0x00000000002A6000-0x00000000002B7000-memory.dmp

Filesize
68KB

Download
memory/1444-97-0x0000000000000000-mapping.dmp

Download
memory/1644-68-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1644-58-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1644-77-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1644-132-0x0000000000166000-0x0000000000177000-memory.dmp

Filesize
68KB

Download
memory/1644-57-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1644-60-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1644-61-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1644-62-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1644-63-0x00000000004E1E9E-mapping.dmp

Download
memory/1644-86-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1644-65-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1644-117-0x0000000000166000-0x0000000000177000-memory.dmp

Filesize
68KB

Download
memory/1688-75-0x0000000000000000-mapping.dmp

Download
memory/1700-76-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1700-72-0x0000000000000000-mapping.dmp

Download
memory/1700-85-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1736-103-0x0000000000000000-mapping.dmp

Download
memory/1736-108-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1736-131-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1748-116-0x0000000000000000-mapping.dmp

Download
memory/1772-67-0x0000000000000000-mapping.dmp

Download
memory/1884-112-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1884-78-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1884-55-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1884-54-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download